'\" te
.\" This manual page is derived from documentation obtained from The Massachusetts Institute of Technology.
.\" Portions Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH KDB5_LDAP_UTIL 8 "June 20, 2021"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.SH SYNOPSIS
.nf
\fBkdb5_ldap_util\fR  [\fB-D\fR \fIuser_dn\fR [\fB-w\fR \fIpasswd\fR]] [\fB-H\fR \fIldap_uri\fR] \fIcommand\fR
     [\fIcommand_options\fR]
.fi

.SH DESCRIPTION
The \fBkdb5_ldap_util\fR utility allows an administrator to manage realms,
Kerberos services, and ticket policies. The utility offers a set of general
options, described under OPTIONS, and a set of commands, which, in turn, have
their own options. Commands and their options are described in their own
subsections, below.
.SH OPTIONS
\fBkdb5_ldap_util\fR has a small set of general options that apply to the
\fBkdb5_ldap_util\fR utility itself and a larger number of options that apply
to specific commands. A number of these command-specific options apply to
multiple commands and are described in their own section, below.
.SS "General Options"
The following general options are supported:
.sp
.ne 2
.na
\fB\fB-D\fR \fIuser_dn\fR\fR
.ad
.sp .6
.RS 4n
Specifies the distinguished name (DN) of a user who has sufficient rights to
perform the operation on the LDAP server.
.RE

.sp
.ne 2
.na
\fB\fB-H\fR \fIldap_uri\fR\fR
.ad
.sp .6
.RS 4n
Specifies the URI of the LDAP server.
.RE

.sp
.ne 2
.na
\fB\fB-w\fR \fIpasswd\fR\fR
.ad
.sp .6
.RS 4n
Specifies the password of \fIuser_dn\fR. This option is not recommended.
.RE

.SS "Common Command-specific Options"
The following options apply to a number of \fBkdb5_ldap_util\fR commands.
.sp
.ne 2
.na
\fB\fB-subtrees\fR \fIsubtree_dn_list\fR\fR
.ad
.sp .6
.RS 4n
Specifies the list of subtrees containing the principals of a realm. The list
contains the DNs of the subtree objects separated by a colon.
.RE

.sp
.ne 2
.na
\fB\fB-sscope\fR \fIsearch_scope\fR\fR
.ad
.sp .6
.RS 4n
Specifies the scope for searching the principals under a subtree. The possible
values are 1 or \fBone\fR (one level), 2 or \fBsub\fR (subtrees).
.RE

.sp
.ne 2
.na
\fB\fB-containerref\fR \fIcontainer_reference_dn\fR\fR
.ad
.sp .6
.RS 4n
Specifies the DN of the container object in which the principals of a realm
will be created. If the container reference is not configured for a realm, the
principals will be created in the realm container.
.RE

.sp
.ne 2
.na
\fB\fB-maxtktlife\fR \fImax_ticket_life\fR\fR
.ad
.sp .6
.RS 4n
Specifies maximum ticket life for principals in this realm.
.RE

.sp
.ne 2
.na
\fB\fB-maxrenewlife\fR \fImax_renewable_ticket_life\fR\fR
.ad
.sp .6
.RS 4n
Specifies maximum renewable life of tickets for principals in this realm.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
Specifies the Kerberos realm of the database; by default the realm returned by
\fBkrb5_default_local_realm\fR(3LIB) is used.
.RE

.SH \fBkdb5_ldap_util\fR COMMANDS
The \fBkdb5_ldap_util\fR utility comprises a set of commands, each with its own
set of options. These commands are described in the following subsections.
.SS "The \fBcreate\fR Command"
The \fBcreate\fR command creates a realm in a directory. The command has the
following syntax:
.sp
.in +2
.nf
create \e
[-subtrees \fIsubtree_dn_list\fR]
[-sscope \fIsearch_scope\fR]
[-containerref \fIcontainer_reference_dn\fR]
[-k \fImkeytype\fR]
[-m|-P \fIpassword\fR| -sf \fIstashfilename\fR]
[-s]
[-r \fIrealm\fR]
[-maxtktlife \fImax_ticket_life\fR]
[-kdcdn \fIkdc_service_list\fR]
[-admindn \fIadmin_service_list\fR]
[-maxrenewlife \fImax_renewable_ticket_life\fR]
[\fIticket_flags\fR]
.fi
.in -2
.sp

.sp
.LP
The \fBcreate\fR command has the following options:
.sp
.ne 2
.na
\fB\fB-subtree\fR \fIsubtree_dn_list\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-sscope\fR \fIsearch_scope\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-containerref\fR \fIcontainer_reference_dn\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-k\fR \fImkeytype\fR\fR
.ad
.sp .6
.RS 4n
Specifies the key type of the master key in the database; the default is that
given in \fBkdc.conf\fR(5).
.RE

.sp
.ne 2
.na
\fB\fB-m\fR\fR
.ad
.sp .6
.RS 4n
Specifies that the master database password should be read from the TTY rather
than fetched from a file on the disk.
.RE

.sp
.ne 2
.na
\fB\fB-P\fR \fIpassword\fR\fR
.ad
.sp .6
.RS 4n
Specifies the master database password. This option is not recommended.
.RE

.sp
.ne 2
.na
\fB\fB-sf\fR \fIstashfilename\fR\fR
.ad
.sp .6
.RS 4n
Specifies the stash file of the master database password.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR\fR
.ad
.sp .6
.RS 4n
Specifies that the stash file is to be created.
.RE

.sp
.ne 2
.na
\fB\fB-maxtktlife\fR \fImax_ticket_life\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-maxrenewlife\fR \fImax_renewable_ticket_life\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fIticket_flags\fR\fR
.ad
.sp .6
.RS 4n
Specifies the ticket flags. If this option is not specified, by default, none
of the flags are set. This means all the ticket options will be allowed and no
restriction will be set. See "Ticket Flags" for a list and descriptions of
these flags.
.RE

.SS "The \fBmodify\fR Command"
The \fBmodify\fR command modifies the attributes of a realm. The command has
the following syntax:
.sp
.in +2
.nf
modify \e
[-subtrees \fIsubtree_dn_list\fR]
[-sscope \fIsearch_scope\fR]
[-containerref \fIcontainer_reference_dn\fR]
[-r \fIrealm\fR]
[-maxtktlife \fImax_ticket_life\fR]
[-maxrenewlife \fImax_renewable_ticket_life\fR]
[\fIticket_flags\fR]
.fi
.in -2
.sp

.sp
.LP
The \fBmodify\fR command has the following options:
.sp
.ne 2
.na
\fB\fB-subtree\fR \fIsubtree_dn_list\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-sscope\fR \fIsearch_scope\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-containerref\fR \fIcontainer_reference_dn\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-maxtktlife\fR \fImax_ticket_life\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-maxrenewlife\fR \fImax_renewable_ticket_life\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fIticket_flags\fR\fR
.ad
.sp .6
.RS 4n
Specifies the ticket flags. If this option is not specified, by default, none
of the flags are set. This means all the ticket options will be allowed and no
restriction will be set. See "Ticket Flags" for a list and descriptions of
these flags.
.RE

.SS "The \fBview\fR Command"
The \fBview\fR command displays the attributes of a realm. The command has the
following syntax:
.sp
.in +2
.nf
view [-r \fIrealm\fR]
.fi
.in -2
.sp

.sp
.LP
The \fBview\fR command has the following option:
.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.SS "The \fBdestroy\fR Command"
The \fBdestroy\fR command destroys a realm, including the master key stash
file. The command has the following syntax:
.sp
.in +2
.nf
destroy [-f] [-r \fIrealm\fR]
.fi
.in -2
.sp

.sp
.LP
The \fBdestroy\fR command has the following options:
.sp
.ne 2
.na
\fB\fB-f\fR\fR
.ad
.sp .6
.RS 4n
If specified, \fBdestroy\fR does not prompt you for confirmation.
.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.SS "The \fBlist\fR Command"
The \fBlist\fR command displays the names of realms. The command has the
following syntax:
.sp
.in +2
.nf
list
.fi
.in -2
.sp

.sp
.LP
The \fBlist\fR command has no options.
.SS "The \fBstashsrvpw\fR Command"
The \fBstashsrvpw\fR command enables you to store the password for service
object in a  file so that a KDC and Administration server can use it to
authenticate to the LDAP server. The command has the following syntax:
.sp
.in +2
.nf
stashsrvpw [-f \fIfilename\fR] \fIservicedn\fR
.fi
.in -2
.sp

.sp
.LP
The \fBstashsrvpw\fR command has the following option and argument:
.sp
.ne 2
.na
\fB\fB-f\fR \fIfilename\fR\fR
.ad
.sp .6
.RS 4n
Specifies the complete path of the service password file. The default is:
.sp
.in +2
.nf
/var/krb5/service_passwd
.fi
.in -2
.sp

.RE

.sp
.ne 2
.na
\fB\fIservicedn\fR\fR
.ad
.sp .6
.RS 4n
Specifies the distinguished name (DN) of the service object whose password is
to be stored in file.
.RE

.SS "The \fBcreate_policy\fR Command"
The \fBcreate_policy\fR command creates a ticket policy in a directory. The
command has the following syntax:
.sp
.in +2
.nf
create_policy \e
[-r \fIrealm\fR]
[-maxtktlife \fImax_ticket_life\fR]
[-maxrenewlife \fImax_renewable_ticket_life\fR]
[\fIticket_flags\fR]
\fIpolicy_name\fR
.fi
.in -2
.sp

.sp
.LP
The \fBcreate_policy\fR command has the following options:
.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-maxtktlife\fR \fImax_ticket_life\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-maxrenewlife\fR \fImax_renewable_ticket_life\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fIticket_flags\fR\fR
.ad
.sp .6
.RS 4n
Specifies the ticket flags. If this option is not specified, by default, none
of the flags are set. This means all the ticket options will be allowed and no
restriction will be set. See "Ticket Flags" for a list and descriptions of
these flags.
.RE

.sp
.ne 2
.na
\fB\fIpolicy_name\fR\fR
.ad
.sp .6
.RS 4n
Specifies the name of the ticket policy.
.RE

.SS "The \fBmodify_policy\fR Command"
The \fBmodify_policy\fR command modifies the attributes of a ticket policy. The
command has the following syntax:
.sp
.in +2
.nf
modify_policy \e
[-r \fIrealm\fR]
[-maxtktlife \fImax_ticket_life\fR]
[-maxrenewlife \fImax_renewable_ticket_life\fR]
[\fIticket_flags\fR]
\fIpolicy_name\fR
.fi
.in -2
.sp

.sp
.LP
The \fBmodify_policy\fR command has the same options and argument as those for
the \fBcreate_policy\fR command.
.SS "The \fBview_policy\fR Command"
The \fBview_policy\fR command displays the attributes of a ticket policy. The
command has the following syntax:
.sp
.in +2
.nf
view_policy [-r \fIrealm\fR] \fIpolicy_name\fR
.fi
.in -2
.sp

.sp
.LP
The \fBview_policy\fR command has the following options:
.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fIpolicy_name\fR\fR
.ad
.sp .6
.RS 4n
Specifies the name of the ticket policy.
.RE

.SS "The \fBdestroy_policy\fR Command"
The \fBdestroy_policy\fR command destroys an existing ticket policy. The
command has the following syntax:
.sp
.in +2
.nf
destroy_policy [-r \fIrealm\fR] [-force] \fIpolicy_name\fR
.fi
.in -2
.sp

.sp
.LP
The \fBdestroy_policy\fR command has the following options:
.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.sp
.ne 2
.na
\fB\fB-force\fR\fR
.ad
.sp .6
.RS 4n
Forces the deletion of the policy object. If not specified, you will be
prompted for confirmation before the policy is deleted. Enter \fByes\fR to
confirm the deletion.
.RE

.sp
.ne 2
.na
\fB\fIpolicy_name\fR\fR
.ad
.sp .6
.RS 4n
Specifies the name of the ticket policy.
.RE

.SS "The \fBlist_policy\fR Command"
The \fBlist_policy\fR command lists the ticket policies in the default or a
specified realm. The command has the following syntax:
.sp
.in +2
.nf
list_policy [-r \fIrealm\fR]
.fi
.in -2
.sp

.sp
.LP
The \fBlist_policy\fR command has the following option:
.sp
.ne 2
.na
\fB\fB-r\fR \fIrealm\fR\fR
.ad
.sp .6
.RS 4n
See "Common Command-specific Options," above.
.RE

.SH TICKET FLAGS
A number of \fBkdb5_ldap_util\fR commands have \fBticket_flag\fR options. These
flags are described as follows:
.sp
.ne 2
.na
\fB\fB{-|+}allow_dup_skey\fR\fR
.ad
.sp .6
.RS 4n
\fB-allow_dup_skey\fR disables user-to-user authentication for principals by
prohibiting principals from obtaining a session key for another user. This
setting sets the \fBKRB5_KDB_DISALLOW_DUP_SKEY\fR flag. \fB+allow_dup_skey\fR
clears this flag.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}allow_forwardable\fR\fR
.ad
.sp .6
.RS 4n
\fB-allow_forwardable\fR prohibits principals from obtaining forwardable
tickets. This setting sets the \fBKRB5_KDB_DISALLOW_FORWARDABLE\fR flag.
\fB+allow_forwardable\fR clears this flag.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}allow_postdated\fR\fR
.ad
.sp .6
.RS 4n
\fB-allow_postdated\fR prohibits principals from obtaining postdated tickets.
This setting sets the \fBKRB5_KDB_DISALLOW_POSTDATED\fR flag.
\fB+allow_postdated\fR clears this flag.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}allow_proxiable\fR\fR
.ad
.sp .6
.RS 4n
\fB-allow_proxiable\fR prohibits principals from obtaining proxiable tickets.
This setting sets the \fBKRB5_KDB_DISALLOW_PROXIABLE\fR flag.
\fB+allow_proxiable\fR clears this flag.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}allow_renewable\fR\fR
.ad
.sp .6
.RS 4n
\fB-allow_renewable\fR prohibits principals from obtaining  renewable tickets.
This setting sets the \fBKRB5_KDB_DISALLOW_RENEWABLE\fR flag.
\fB+allow_renewable\fR clears this flag.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}allow_svr\fR\fR
.ad
.sp .6
.RS 4n
\fB-allow_svr\fR prohibits the issuance of service tickets for principals. This
setting sets the \fBKRB5_KDB_DISALLOW_SVR\fR flag.  \fB+allow_svr\fR clears
this flag.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}allow_tgs_req\fR\fR
.ad
.sp .6
.RS 4n
\fB-allow_tgs_req\fR specifies that a Ticket-Granting Service (TGS) request for
a service ticket for principals is not permitted. This option is useless for
most purposes.  \fB+allow_tgs_req\fR clears this flag. The default is
\fB+allow_tgs_req\fR. In  effect, \fB-allow_tgs_req\fR sets the
\fBKRB5_KDB_DISALLOW_TGT_BASED\fR flag on principals in the database.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}allow_tix\fR\fR
.ad
.sp .6
.RS 4n
\fB-allow_tix\fR forbids the issuance of any tickets for principals.
\fB+allow_tix\fR clears this flag. The default is \fB+allow_tix\fR. In effect,
\fB-allow_tix\fR sets the \fBKRB5_KDB_DISALLOW_ALL_TIX\fR flag on principals in
the database.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}needchange\fR\fR
.ad
.sp .6
.RS 4n
\fB+needchange\fR sets a flag in the attributes field to force a password
change; \fB-needchange\fR clears that flag. The default is \fB-needchange\fR.
In effect, \fB+needchange\fR sets the \fBKRB5_KDB_REQUIRES_PWCHANGE\fR flag on
principals in the database.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}password_changing_service\fR\fR
.ad
.sp .6
.RS 4n
\fB+password_changing_service\fR sets a flag in the attributes field marking a
principal as a password-change-service principal (a designation that is most
often not useful). \fB-password_changing_service\fR clears the flag. That this
flag has a long name is intentional. The default is
\fB-password_changing_service\fR. In effect, \fB+password_changing_service\fR
sets the \fBKRB5_KDB_PWCHANGE_SERVICE\fR flag on principals in the database.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}requires_hwauth\fR\fR
.ad
.sp .6
.RS 4n
\fB+requires_hwauth\fR requires principals to preauthenticate using a hardware
device before being allowed to \fBkinit\fR(1).  This setting sets the
\fBKRB5_KDB_REQUIRES_HW_AUTH\fR flag. \fB-requires_hwauth\fR clears this flag.
.RE

.sp
.ne 2
.na
\fB\fB{-|+}requires_preauth\fR\fR
.ad
.sp .6
.RS 4n
+\fBrequires_preauth\fR requires principals to preauthenticate before being
allowed to \fBkinit\fR(1). This setting sets the
\fBKRB5_KDB_REQUIRES_PRE_AUTH\fR flag. \fB-requires_preauth\fR clears this
flag.
.RE

.SH EXAMPLES
\fBExample 1 \fRUsing \fBcreate\fR
.sp
.LP
The following is an example of the use of the \fBcreate\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU\fR
Password for "cn=admin,o=org":  \fIpassword entered\fR
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: \fImaster key entered\fR
Re-enter KDC database master key to verify: \fImaster key re-entered\fR
.fi
.in -2
.sp

.LP
\fBExample 2 \fRUsing \fBmodify\fR
.sp
.LP
The following is an example of the use of the \fBmodify\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
modify +requires_preauth -r ATHENA.MIT.EDU\fR
Password for "cn=admin,o=org":  \fIpassword entered\fR
Password for "cn=admin,o=org":  \fIpassword entered\fR
.fi
.in -2
.sp

.LP
\fBExample 3 \fRUsing \fBview\fR
.sp
.LP
The following is an example of the use of the \fBview\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
view -r ATHENA.MIT.EDU\fR
           Password for "cn=admin,o=org":
                              Realm Name: ATHENA.MIT.EDU
                                 Subtree: ou=users,o=org
                                 Subtree: ou=servers,o=org
                             SearchScope: ONE
                     Maximum ticket life: 0 days 01:00:00
                  Maximum renewable life: 0 days 10:00:00
                            Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.fi
.in -2
.sp

.LP
\fBExample 4 \fRUsing \fBdestroy\fR
.sp
.LP
The following is an example of the use of the \fBdestroy\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
destroy -r ATHENA.MIT.EDU\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
(type 'yes' to confirm)? \fByes\fR
OK, deleting database of 'ATHENA.MIT.EDU'...
.fi
.in -2
.sp

.LP
\fBExample 5 \fRUsing \fBlist\fR
.sp
.LP
The following is an example of the use of the \fBlist\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
Re-enter Password for "cn=admin,o=org": \fIpassword re-entered\fR
ATHENA.MIT.EDU
OPENLDAP.MIT.EDU
MEDIA-LAB.MIT.EDU
.fi
.in -2
.sp

.LP
\fBExample 6 \fRUsing \fBstashsrvpw\fR
.sp
.LP
The following is an example of the use of the \fBstashsrvpw\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util stashsrvpw -f \e
/home/andrew/conf_keyfile cn=service-kdc,o=org\fR
Password for "cn=service-kdc,o=org": \fIpassword entered\fR
Re-enter password for "cn=service-kdc,o=org": \fIpassword re-entered\fR
.fi
.in -2
.sp

.LP
\fBExample 7 \fRUsing \fBcreate_policy\fR
.sp
.LP
The following is an example of the use of the \fBcreate_policy\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
create_policy -r ATHENA.MIT.EDU \e
-maxtktlife "1  day" -maxrenewlife "1 week" \e
-allow_postdated +needchange -allow_forwardable \fItktpolicy\fR\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
.fi
.in -2
.sp

.LP
\fBExample 8 \fRUsing \fBmodify_policy\fR
.sp
.LP
The following is an example of the use of the \fBmodify_policy\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
modify_policy -r ATHENA.MIT.EDU \e
-maxtktlife "60 minutes" -maxrenewlife "10 hours" \e
+allow_postdated -requires_preauth \fItktpolicy\fR\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
.fi
.in -2
.sp

.LP
\fBExample 9 \fRUsing \fBview_policy\fR
.sp
.LP
The following is an example of the use of the \fBview_policy\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
view_policy -r ATHENA.MIT.EDU \fItktpolicy\fR\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
            Ticket policy: tktpolicy
      Maximum ticket life: 0 days 01:00:00
   Maximum renewable life: 0 days 10:00:00
             Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
.fi
.in -2
.sp

.LP
\fBExample 10 \fRUsing \fBdestroy_policy\fR
.sp
.LP
The following is an example of the use of the \fBdestroy_policy\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
destroy_policy -r ATHENA.MIT.EDU \fItktpolicy\fR\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
This will delete the policy object 'tktpolicy', are you sure?
(type 'yes' to confirm)? \fByes\fR
** policy object '\fItktpolicy\fR' deleted.
.fi
.in -2
.sp

.LP
\fBExample 11 \fRUsing \fBlist_policy\fR
.sp
.LP
The following is an example of the use of the \fBlist_policy\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu \e
list_policy -r ATHENA.MIT.EDU\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
tktpolicy
tmppolicy
userpolicy
.fi
.in -2
.sp

.LP
\fBExample 12 \fRUsing \fBsetsrvpw\fR
.sp
.LP
The following is an example of the use of the \fBsetsrvpw\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw \e
-fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
Password for "cn=service-kdc,o=org": \fIpassword entered\fR
Re-enter password for "cn=service-kdc,o=org": \fIpassword re-entered\fR
.fi
.in -2
.sp

.LP
\fBExample 13 \fRUsing \fBcreate_service\fR
.sp
.LP
The following is an example of the use of the \fBcreate_service\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org create_service \e
-kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
File does not exist. Creating the file /home/andrew/conf_keyfile...
.fi
.in -2
.sp

.LP
\fBExample 14 \fRUsing \fBmodify_service\fR
.sp
.LP
The following is an example of the use of the \fBmodify_service\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org modify_service \e
-realm ATHENA.MIT.EDU cn=service-kdc,o=org\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
Changing rights for the service object. Please wait ... done
.fi
.in -2
.sp

.LP
\fBExample 15 \fRUsing \fBview_service\fR
.sp
.LP
The following is an example of the use of the \fBview_service\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org view_service \e
cn=service-kdc,o=org\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
                       Service dn: cn=service-kdc,o=org
                     Service type: kdc
                Service host list:
                    Realm DN list: cn=ATHENA.MIT.EDU,cn=Kerberos,cn=Security
.fi
.in -2
.sp

.LP
\fBExample 16 \fRUsing \fBdestroy_service\fR
.sp
.LP
The following is an example of the use of the \fBdestroy_service\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org destroy_service \e
cn=service-kdc,o=org\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
This will delete the service object 'cn=service-kdc,o=org', are you sure?
(type 'yes' to confirm)? \fByes\fR
** service object 'cn=service-kdc,o=org' deleted.
.fi
.in -2
.sp

.LP
\fBExample 17 \fRUsing \fBlist_service\fR
.sp
.LP
The following is an example of the use of the \fBlist_service\fR command.

.sp
.in +2
.nf
# \fBkdb5_ldap_util -D cn=admin,o=org list_service\fR
Password for "cn=admin,o=org": \fIpassword entered\fR
cn=service-kdc,o=org
cn=service-adm,o=org
cn=service-pwd,o=org
.fi
.in -2
.sp

.SH ATTRIBUTES
See \fBattributes\fR(7) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Volatile
.TE

.SH SEE ALSO
.BR kinit (1),
.BR kdc.conf (5),
.BR attributes (7),
.BR kadmin (8)
